Privacy Impact Assessment Report on the Veterans Review and Appeal Board Scheduling Application
Executive Summary
The Veterans Review and Appeal Board (VSA, the Board) is an independent, quasi-judicial tribunal created in 1995. The Board provides an appeal program for service-related disability decisions made by Veterans Affairs Canada (VAC). This program gives applicants two levels of redress for disability benefits decisions and the final level of appeal for War Veterans Allowance claims. The Board's goal is to ensure that Veterans, Canadian Armed Forces and RCMP members, and their families receive the benefits they are entitled to under the law.
This report presents the findings of the Privacy Impact Assessment (PIA) on the VRAB Scheduling Application (VSA).
The VSA is a web-based application which assists the process of scheduling hearings and tracks internal business processes to ensure that legislative requirements are met while providing the best service to applicants. The VSA captures all aspects of scheduling including information on Board Members and it also tracks applications throughout all stages of the redress process. Viewing of this information is restricted to Members and authorized VRAB staff. The VSA has linkages to VAC's Client Service Delivery Network (CSDN) but is a separate, VRAB-controlled and managed system.
The VSA allows the uploading of digital statements of case (SOC) and digital recordings of review hearings to the CSDN. Another component allows for the tagging and searching of documents for research related to providing consistent and quality decisions.
VRAB is committed to protecting the personal information of all applicants and has taken the appropriate measures to ensure that all aspects of the VSA conform to the law and principles of the Privacy Act and Regulations as well as TBS policies, directives, and practices.
Risk Area Identification and Categorization
The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level.
a) Type of program or activity
Risk scale: 2
Administration of program or activity and services
b) Type of personal information involved and context
Risk scale: 1
For the information actually stored within the VSA - only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.
Risk scale: 3
For the information stored in the CSDN and viewed through the VSA - Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual.
c) Program or activity partners and private sector involvement
Risk scale: 1
Within the institution (among one or more programs within the same institution)
d) Duration of the program or activity
Risk scale: 3
Long-term program or activity
e) Program population
Risk scale: 1
The program's use of personal information for internal administrative purposes affects certain employees.
f) Technology and privacy
Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information?
Yes, it is the new system that is being assessed in this PIA.
Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems?
No
Specific technological issues and privacy:
Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities: enhanced identification methods; surveillance; or automated personal information analysis, personal information matching and knowledge discovery techniques?
No
g) Personal information transmission
Risk scale: 2
The personal information is used in a system that has connections to at least one other system. (The VSA is connected to VAC's CSDN)
h) Privacy breach
Potential risk that in the event of a privacy breach, there would be an impact on the individual or employee:
VRAB considers this to be a low risk.
In the event of a breach related to an electronic hearing recording or statement of case, there would be some impact on an individual or employee. That impact is reduced by:
- Reducing the risk of breaches within the institution.
- Discovering breaches quickly.
- Training staff how to respond to breaches.
- Ensuring that the information, in the event of a breach, has a narrow distribution.
i) Privacy breach - impact on institution
Potential risk that in the event of a privacy breach, there will be an impact on the institution:
In the event of any privacy breach, there would be some impact on the institution's credibility and on the trust in its privacy practices.
Conclusion:
Most of the privacy risk issues identified in this PIA relate to internal processes of the institution and will be resolved in the next fiscal year, or at the time of the updating of certain work descriptions.
VAC has advised that a project has been initiated to resolve the issue associated with the inability of the CSDN and VSA to dispose of electronic client information at the end of its life cycle.
Update (January 2017)
The majority of the privacy risk issues identified in this PIA have been resolved. Training will continue to be provided and/or sought as needed and certain work descriptions will be updated on their next review. A new target date has been set for one of the low risk items.
The VAC project to resolve the issue associated with the inability of the CSDN and VSA to dispose of electronic client information at the end of its life cycle has been put on hold. The Board is, however, able to delete documents in VSA.
Personal Information Bank:
Reviews, Appeals and Compassionate Awards
TBS Registration: 003480
Bank Number: VRAB PPU 080